Diffstat (limited to 'docs/htmldocs/domain-security.html')
-rw-r--r-- | docs/htmldocs/domain-security.html | 227 |
1 files changed, 94 insertions, 133 deletions
diff --git a/docs/htmldocs/domain-security.html b/docs/htmldocs/domain-security.html index 670d96ba5f..fcb40641e4 100644 --- a/docs/htmldocs/domain-security.html +++ b/docs/htmldocs/domain-security.html @@ -2,11 +2,10 @@ <HTML ><HEAD ><TITLE ->Samba as a NT4 domain member</TITLE +>Samba as a NT4 or Win2k domain member</TITLE ><META NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+ -"><LINK +CONTENT="Modular DocBook HTML Stylesheet Version 1.77+"><LINK REL="HOME" TITLE="SAMBA Project Documentation" HREF="samba-howto-collection.html"><LINK @@ -73,19 +72,23 @@ WIDTH="100%"></DIV CLASS="CHAPTER" ><H1 ><A -NAME="DOMAIN-SECURITY">Chapter 9. Samba as a NT4 domain member</H1 +NAME="DOMAIN-SECURITY" +></A +>Chapter 8. Samba as a NT4 or Win2k domain member</H1 ><DIV CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1273">9.1. Joining an NT Domain with Samba 2.2</H1 +NAME="AEN1423" +></A +>8.1. Joining an NT Domain with Samba 3.0</H1 ><P ->Assume you have a Samba 2.x server with a NetBIOS name of +>Assume you have a Samba 3.0 server with a NetBIOS name of <TT CLASS="CONSTANT" >SERV1</TT -> and are joining an NT domain called +> and are joining an or Win2k NT domain called <TT CLASS="CONSTANT" >DOM</TT 
@@ -103,107 +106,7 @@ CLASS="CONSTANT" </TT >.</P ><P ->In order to join the domain, first stop all Samba daemons - and run the command:</P -><P -><TT -CLASS="PROMPT" ->root# </TT -><TT -CLASS="USERINPUT" -><B ->smbpasswd -j DOM -r DOMPDC - -U<TT -CLASS="REPLACEABLE" -><I ->Administrator%password</I -></TT -></B -></TT -></P -><P ->as we are joining the domain DOM and the PDC for that domain - (the only machine that has write access to the domain SAM database) - is DOMPDC. The <TT -CLASS="REPLACEABLE" -><I ->Administrator%password</I -></TT -> is - the login name and password for an account which has the necessary - privilege to add machines to the domain. If this is successful - you will see the message:</P -><P -><TT -CLASS="COMPUTEROUTPUT" ->smbpasswd: Joined domain DOM.</TT -> - </P -><P ->in your terminal window. See the <A -HREF="smbpasswd.8.html" -TARGET="_top" -> smbpasswd(8)</A -> man page for more details.</P -><P ->There is existing development code to join a domain - without having to create the machine trust account on the PDC - beforehand. This code will hopefully be available soon - in release branches as well.</P -><P ->This command goes through the machine account password - change protocol, then writes the new (random) machine account - password for this Samba server into a file in the same directory - in which an smbpasswd file would be stored - normally :</P -><P -><TT -CLASS="FILENAME" ->/usr/local/samba/private</TT -></P -><P ->In Samba 2.0.x, the filename looks like this:</P -><P -><TT -CLASS="FILENAME" -><TT -CLASS="REPLACEABLE" -><I -><NT DOMAIN NAME></I -></TT ->.<TT -CLASS="REPLACEABLE" -><I -><Samba - Server Name></I -></TT ->.mac</TT -></P -><P ->The <TT -CLASS="FILENAME" ->.mac</TT -> suffix stands for machine account - password file. 
So in our example above, the file would be called:</P -><P -><TT -CLASS="FILENAME" ->DOM.SERV1.mac</TT -></P -><P ->In Samba 2.2, this file has been replaced with a TDB - (Trivial Database) file named <TT -CLASS="FILENAME" ->secrets.tdb</TT ->. - </P -><P ->This file is created and owned by root and is not - readable by any other user. It is the key to the domain-level - security for your system, and should be treated as carefully - as a shadow password file.</P -><P ->Now, before restarting the Samba daemons you must - edit your <A +>Firstly, you must edit your <A HREF="smb.conf.5.html" TARGET="_top" ><TT @@ -228,7 +131,12 @@ CLASS="PARAMETER" ><B CLASS="COMMAND" >security = domain</B -></P +> or + <B +CLASS="COMMAND" +>security = ads</B +> depending on if the PDC is + NT4 or running Active Directory respectivly.</P ><P >Next change the <A HREF="smb.conf.5.html#WORKGROUP" 
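Review bot: "respectivly" in the added `security = ads` sentence is misspelled (respectively), and "depending on if the PDC is NT4 or running Active Directory" reads better as "depending on whether the PDC is NT4 or running Active Directory". More importantly, the ADS branch is introduced without the parameter that goes with it: the join output added later in this patch prints `Joined 'SERV1' to realm 'MYREALM'`, but the smb.conf steps only ever set `security` and `workgroup`, so the reader is never told where that realm comes from. Add a `realm = ` line for the `security = ads` case in this paragraph so the configuration is complete before the reader reaches the `net join` step.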
@@ -295,11 +203,77 @@ CLASS="COMMAND" >password server = *</B ></P ><P ->This method, which was introduced in Samba 2.0.6, - allows Samba to use exactly the same mechanism that NT does. This +>This method, allows Samba to use exactly the same + mechanism that NT does. This method either broadcasts or uses a WINS database in order to find domain controllers to authenticate against.</P ><P +>In order to actually join the domain, you must run this + command:</P +><P +><TT +CLASS="PROMPT" +>root# </TT +><TT +CLASS="USERINPUT" +><B +>net join -S DOMPDC + -U<TT +CLASS="REPLACEABLE" +><I +>Administrator%password</I +></TT +></B +></TT +></P +><P +>as we are joining the domain DOM and the PDC for that domain + (the only machine that has write access to the domain SAM database) + is DOMPDC. The <TT +CLASS="REPLACEABLE" +><I +>Administrator%password</I +></TT +> is + the login name and password for an account which has the necessary + privilege to add machines to the domain. If this is successful + you will see the message:</P +><P +><TT +CLASS="COMPUTEROUTPUT" +>Joined domain DOM.</TT +> + or <TT +CLASS="COMPUTEROUTPUT" +>Joined 'SERV1' to realm 'MYREALM'</TT +> + </P +><P +>in your terminal window. See the <A +HREF="net.8.html" +TARGET="_top" +> net(8)</A +> man page for more details.</P +><P +>This process joins the server to thedomain + without having to create the machine trust account on the PDC + beforehand.</P +><P +>This command goes through the machine account password + change protocol, then writes the new (random) machine account + password for this Samba server into a file in the same directory + in which an smbpasswd file would be stored - normally :</P +><P +><TT +CLASS="FILENAME" +>/usr/local/samba/private/secrets.tdb</TT +></P +><P +>This file is created and owned by root and is not + readable by any other user. 
It is the key to the domain-level + security for your system, and should be treated as carefully + as a shadow password file.</P +><P >Finally, restart your Samba daemons and get ready for clients to begin using domain security!</P ></DIV @@ -308,30 +282,23 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1337">9.2. Samba and Windows 2000 Domains</H1 +NAME="AEN1478" +></A +>8.2. Samba and Windows 2000 Domains</H1 ><P >Many people have asked regarding the state of Samba's ability to participate in a Windows 2000 Domain. Samba 3.0 is able to act as a member server of a Windows -2000 domain operating in mixed or native mode.</P -><P ->There is much confusion between the circumstances that require a "mixed" mode -Win2k DC and a when this host can be switched to "native" mode. A "mixed" mode -Win2k domain controller is only needed if Windows NT BDCs must exist in the same -domain. By default, a Win2k DC in "native" mode will still support -NetBIOS and NTLMv1 for authentication of legacy clients such as Windows 9x and -NT 4.0. Samba has the same requirements as a Windows NT 4.0 member server.</P -><P ->The steps for adding a Samba 2.2 host to a Win2k domain are the same as those -for adding a Samba server to a Windows NT 4.0 domain. The only exception is that -the "Server Manager" from NT 4 has been replaced by the "Active Directory Users and -Computers" MMC (Microsoft Management Console) plugin.</P +2000 domain operating in mixed or native mode. The steps above apply +to both NT4 and Windows 2000.</P ></DIV ><DIV CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN1342">9.3. Why is this better than security = server?</H1 +NAME="AEN1481" +></A +>8.3. Why is this better than security = server?</H1 ><P >Currently, domain security in Samba doesn't free you from having to create local Unix users to represent the users attaching 
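Review bot: the replacement sentence "The steps above apply to both NT4 and Windows 2000" does not let the reader pick between the two options the earlier hunk added. That hunk says to choose `security = domain` or `security = ads` depending on whether the PDC is NT4 or running Active Directory, and this section now says Samba can join a Windows 2000 domain "operating in mixed or native mode" while dropping the removed paragraph's explanation of when mixed mode matters and that Samba has the same requirements as an NT 4.0 member server. A Windows 2000 DC in mixed mode is still an Active Directory DC, so say which `security` setting applies to a Win2k DC in each mode rather than only "the steps above apply".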
@@ -387,13 +354,7 @@ CLASS="COMMAND" >And finally, acting in the same manner as an NT server authenticating to a PDC means that as part of the authentication reply, the Samba server gets the user identification information such - as the user SID, the list of NT groups the user belongs to, etc. All - this information will allow Samba to be extended in the future into - a mode the developers currently call appliance mode. In this mode, - no local Unix users will be necessary, and Samba will generate Unix - uids and gids from the information passed back from the PDC when a - user is authenticated, making a Samba server truly plug and play - in an NT domain environment. Watch for this code soon.</P + as the user SID, the list of NT groups the user belongs to, etc. </P ><P ><SPAN CLASS="emphasis" |
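Review bot: in the @@ -73,19 +72,23 @@ hunk the added intro sentence has its words out of order: `> and are joining an or Win2k NT domain called` should read `> and are joining an NT or Win2k domain called`, matching the new chapter title "Samba as a NT4 or Win2k domain member".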
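Review bot: in the @@ -295,11 +203,77 @@ hunk, `>This process joins the server to thedomain` is missing a space, and `>This method, allows Samba to use exactly the same` has a stray comma after "method". The example command `net join -S DOMPDC -U Administrator%password` also puts the domain administrator's password on the command line, where any local user can read it from the process list for as long as `net` runs; since this paragraph tells the reader to type it as root with an account privileged enough to add machines to the domain, add a sentence that `-U Administrator` without the `%password` part makes `net` prompt for the password instead.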
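Review bot: cutting the appliance-mode text in the @@ -387,13 +354,7 @@ hunk leaves `as the user SID, the list of NT groups the user belongs to, etc. </P` with a trailing space before the closing tag and, more importantly, without saying why that information matters. This section argues why domain security is better than `security = server`, and the surviving "And finally" sentence now lists what the PDC returns in the authentication reply but never says what Samba 3.0 does with the SID and group list. Add a clause on how that information is used so the point still supports the comparison, or reword the sentence so it no longer promises a benefit it does not describe.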